By Richard White, PhD

Increased difficulty in advanced persistent threat (APT) attribution – With APT attacks increasing and bad actors choosing to keep older campaigns alive while simultaneously searching for new exploitable weaknesses and more sophisticated techniques, it will prove more difficult to attribute specific actions to specific hackers or hacking groups. This will cause solutions to be delivered more slowly due to the increased complexity of related threat intelligence sharing and the increased difficulty with attribution.

Ransomware persists – Count on ransomware to continue to plague large and small businesses alike. The ransomware paradigm has proven highly successful and extremely profitable for the bad actors. Given this success, it is an easy bet that we have not seen the last of these types of attacks.

New hook same line – Phishing will continue simply because it is a tried and true technique for luring (duping) the good guys into clicking on or downloading packages that provide a range of services to the bad actor. Examples of these services include credential theft, keystroke logging, remote control, and back doors.

Attacks targeting industries – Yes, we can look forward to attacks against entire industries. These will be very similar to watering hole attacks or NotPetya, which were both easy to deploy, presented very little risk to the bad guys, and were extremely successful regarding their evil objective. Because of these attributes, it is highly probable that we will see similar attacks across 2019. These attacks may take the form of a commonly used website, specific to an industry, containing malicious code, or a public repository being injected with bad code targeting software libraries used within or common to a specific industry.

And now for something completely new: Distributed Denial of Service (DDoS) via Internet of Things – We are starting a new love affair with IoT. We like wearing, seeing, using, holding, anything “ing” IoT. Guilty as charged. The world of IoT has exploded and we can find these devices virtually everywhere. Their popularity is a credit to the unique services they provide and their ease of use. But alas, the popularity of IoT devices coupled with their inability to host any type of security or antimalware means a bonanza of exploitable devices that can be used by our cyber adversaries. Expect to see an increase in DDoS attacks fueled by the explosion of the IoT craze.

What should auto dealerships be concerned about?

Auto dealerships need to evaluate what variety of hacker is attracted to their business (a thorough and complete risk analysis works great here). For example, hackers that are driven by ego do not care about the “pay off.” Successfully hacking your dealership is the payment.

Another example is the hacker that is seeking profit and means to breach your perimeter, steal your valuable data and monetize it in the underground. This is more problematic, though less common, than the ego-driven hack. Though they differ in intensity and intent, protecting yourself against different kinds of hackers takes a similar systematic approach.

Begin by assessing the nature of the business and how transactions are conducted. Do you rely on the continued storage of customer data, financial data, or corporate data to run your business? All have various protective elements that should be in place.

The conventional wisdom for defending against hackers is known as defense in depth. Firewalls at the perimeter, anti-malware installed on hosts and servers, encrypted traffic across local and wide area networks, intrusion detection appliances, and two-factor authentication are all part of this solution.

However, defense in depth is designed to mitigate an attack, not prevent it entirely. For this reason alone, having the proper backups, authentication, and security controls in place prior to an attack helps to keep even successful hacks from becoming catastrophic and prolonged.

I recommend that dealerships develop a plan to detect and correct these events in near real-time. By using the term “correct” I mean to mitigate, eradicate, and recover from a breach. Additionally, I recommend using a 4th generation security information and event management (SIEM) tool to help provide real time notification of cyber-attacks.

Richard D. White is an Adjunct Professor at the University of Maryland University College where he is the Course Chair of Cybersecurity Information Assurance. He can be reached at rwhite@olg.com.

40 Comments

Matthew Ryan

Really interesting read. I agree with our society having the new obsession with IoT whether it’s smart watch or smart tv and I am guilty as well when it comes to smart tv. Do you think there is a market to have these types of IoT technologies to try and host antimalware or any type of security? If not, I think more money needs to be put into this market considering in the future, everything could possibly be connected to the Internet. Great article! I enjoyed reading it.

Ramon Grullon

The use of phishing attacks is simply too easy to ever go away. It’s like crimes of opportunity where a person leaves their car unlocked and valuables in plain sight. Until more emphasis is placed on the users of systems as the weakest link in security, lack of knowledge will lead to these successful phishing attacks.

serge saa-lapnet

Innovative cybersecurity analysis addressing serious threats and attack patterns. Mentions of the IoT are poignant, especially as we are entering the era of the internet of everything (IoE).
Great applicability of cybersecurity recommendations to the auto dealership industry for the upcoming cyber season. This is a great read!

Olivia Atkinson

Hello Professor White,
I agree that ransomware is here to stay. There are so many cyber criminals that get a kick out of holding the user’s information hostage. Users should be cautious when they are opening their email and don’t click on unrecognizable links. Ensure protection for the system by purchasing security software. There is no sure way to prevent ransomware from occurring. I enjoyed reading your article; it was very informative.

David Burdyck

I feel that attribution, naming the host or persistent threat identity, will consistently continue to be an issue and near next to impossible to nail down. Part of the problem is even if you were to actually trace back the threat actor to its point of origin, there is a large possibility that this threat actor (non-nation state, individual, group, etc.) is acting on behalf of a larger entity, perhaps a nation-state actor that represents one of the big four. The IoT is definitely going to be the next major highway avenue of approach for threat adversaries (bad actors). So many technologies exist without the proper encryption and security technology that it presents the most viable target source to launch attacks from. I foresee big technology industry distributors being forced into having to relook their security angles with products they produce. This will be fueled by the number of sophisticated attacks that we will experience across the IoT platform. Which major industries are currently using SIEM technology within their organizations now, and will this be the next focus for hackers to debunk its validity for capturing threats on a network? Thanks for sharing your insight with the community of Cyber Professionals.

Charity

Not many people think of the car dealers when they are talking about hacking; people go in and put all of the information that is needed to buy a car down and don’t think more about it. This is a very vulnerable place for people; no one thinks too much about what information they were just giving the dealers when they were shopping. If you want to test drive a car, you have to hand over your license, and it is copied. That one document has all of the information someone needs to cause damage. Any company that deals with computer systems needs to be aware that their systems could be compromised and take protective measures.

Dave McD.

Dr. White captured the threat landscape that exists, not only for the automotive industry, but all industries. As hackers’ exploits, and albeit, successes become more publicized in specific industry verticals, those industry participants feel the sense of urgency and pressure to improve cybersecurity practices, even if they were not directly affected by a breach. Hackers will often follow the path of least resistance to capitalize on high risk and high rewards and move into new areas with less battle-tested defenses. The automotive industry has dramatically evolved in recent years from an information technology perspective. There are now innumerable end points in the environment and the failure to apply sound security principles in the environment could be catastrophic for an organization.

The recommendations provided by Dr. White are comprehensive and attainable. Understanding the business and assessing the need for data is paramount. If sensitive data is needed to support business functions, then additional security measures need to be built around that data in the form of policies, procedures, and security appliances. Further, accepting that defense-in-depth through prevention is not realistic. Organizations should place equal emphasis on detecting events, incidents, and breaches in their networks to minimize impacts. Lastly, communication is critical among industry participants. Sharing threat intelligence not only improves your neighbor’s security practices, but it also improves individual efforts to security – as long as you’re committed.

A. Carter

In addition to backups and cyber tools, employee education is a big part of security as well. As you mentioned, phishing attempts are the most popular method of attack (and probably always will be) due to the lack of effort required for the attacker. It only takes one unaware user to click a link they shouldn’t or provide their password to “system administrator” for the attacker to gain entry and start working on data collection. The unaware user is essentially able to assist the attacker in negating all the security controls put in place by security personnel.

George Myers

Interesting take on attribution of advanced persistent threats (APT). Just a few years ago, we were at this juncture regarding attribution and we eventually figured out a solution. Now that capabilities and APT trade-craft and behavior have been modified, we’re back to the point where attribution is hard again…unless you’re in the inner circle.

That brings me to the point of government/commercial partnerships. Since essentially any business in the US is a potential target for APTs, it is beneficial for expansion of these partnerships. Countries impacted by sanctions will continue to use state-sanctioned cyber actors to aid in monetary gain to help them meet various national requirements. These countries are not too selective with their targets as their only goal is to expeditiously earn money. The techniques used here can help put together an entire picture for attribution across many APTs.

Richard White

Awesome operational insight and depth. I could not agree more regarding the need to expand the federal and commercial partnerships for the purpose of exchanging threat intel and real-time threat Indicators of Compromise.

T. Walker

Interesting article. At first I was curious as to why the focus on automotive dealerships. Then I started to think about the potential monetary gain. While it’s been some time since I purchased a vehicle, I assume there is a wealth (pun intended) of customer information stored at, or transmitted from, dealerships. This information would likely include social security numbers for credit checks, credit card numbers from sales and service departments, and banking information for loans. I also assess the infrastructure at the average dealership may not be as hardened as that of a bank or financial institute, thus making them more vulnerable to attack. I then began to consider the vehicles themselves and the risk they present. Technologies like GPS, in-dash hard drives, Bluetooth, and WiFi hotspots are becoming more common in vehicles. Similarly, vehicle-to-infrastructure, telematics, and fully autonomous vehicles represent an increased reliance on technology in the automotive industry. These “conveniences” present additional attack vectors for bad actors looking to either prove their hacking prowess or inflict harm. Regarding DDoS attacks, to what extent can vehicles be used as bots in these scenarios? Especially given the common practice of having multiple dealerships located in close proximity. Spoofing a dealership via email for a phishing attack would undoubtedly reap a higher than average success rate. Folks are used to a large amount of paperwork and customer service surveys when purchasing a vehicle. It wouldn’t be hard to use some social engineering to obtain email addresses of new car owners and send them an email to the effect of, “we need to verify your account number” or something along those lines. What is the likelihood that we see a form of ransomware attacks on vehicles? Imagine trying to get to work and your vehicle won’t start unless you pay X amount.
Lastly, while perhaps a greater risk in rentals, individuals who use a loaner car from a dealer, are at risk of divulging information unintentionally by connecting via Bluetooth or USB and downloading their contacts or information associated to their smart device(s). Thank you for a thought provoking article highlighting the fact that any industry is at risk and must take the appropriate measures to protect themselves and their customers.

Simon Liu

The article put several things into perspective. The first is the importance of understanding that we need to consider the long game. This means that more and more complex attacks will be in the future; we need to ensure that we are prepared to meet those challenges and act appropriately. The second is that there are only two things that drive a hacker: ego and money. The latter is what drives ransomware attacks and why I believe they will grow as long as they remain lucrative. The other point it drives thought on is the “same line different hook”: humans are curious by nature and in a sense very unsuspecting, because they can be presented with something that might be off or dangerous, but if you dangle it in front of us, eventually someone will bite.

I agree with Dr. White’s assessment and recommendation that the best defense is defense in depth. By having a series of defenses, there are other layers of defenses even if a hacker can breach one layer. Having a backup system in case a recovery is required is also a good idea, regardless of whether a cloud-based backup system or a hardware backup is desired, as long as there’s a plan to recover data that could be critical to business operations.

Andrea S.

This is an eye-opening article. Purchasing IoT products has its challenges as defined by the article. Because of free enterprise, companies that produce and sell IoT products can do so aware of the security concerns. It is up to the consumer to determine whether to accept the risk by purchasing the IoT product or moving onto a non-IoT product.
Consumers would probably choose convenience over security, especially with a product like an IoT refrigerator. The thought process: who cares if someone hacks my IoT refrigerator? As a consumer, you might not care unless or until your refrigerator is hacked (forced to turn off) and you have to replace its contents. As a consumer, I would be wary of IoT products until security is addressed.

Pedro Rosa

This is a very interesting article. You bring up some great examples of attacks that will remain and those on the rise. It is true that the IoT, albeit a convenient tool for us all, is very vulnerable to attack. With respect to automobile dealerships, I agree with everything you had to say, but I think a bigger concern is the IoT as it pertains to smart technology in vehicles. Not too long ago I saw a report on 60 Minutes that discussed the dangers of adding smart technology to the automobile industry. I consider this a big danger and am very skeptical to buy in to the prospect of having my vehicle perform actions previously reserved for licensed drivers. I would like to know your opinions on this topic.

C. Afeowrk

Great article Dr. White
Even most other business industries face security breaches and hacking activities; nowadays, hackers are looking at the automotive industry as well. The automotive industry is targeted because its suppliers and vendors have a large database of consumer information and location-based data. The automotive industry, such as dealerships and carmakers, has big data that includes financial information and also driving statistics, which is what most hackers and cyber criminals are looking for. Due to its big amount of data, hackers targeted the automotive industry, and it is drawing the attention of lawmakers, regulators and security experts.

Richard White

Thank you for your comments. You nailed it, the large amount of juicy data within the automotive industry makes it a real and viable target. Look for the hacker to move into the smaller and mid-sized organizations (like auto dealerships) this year and continuing into the foreseeable future.

Sarah Scott

Great article with expert insights with regard to imminent threats businesses like automotive dealers are facing in terms of the increasing risks of cyber threats creating vulnerabilities. Over the years consumers have watched as many businesses and their data have been compromised due to lack of cyber security infrastructure and planning. Protecting small businesses from disasters as a result of hackers becoming more and more sophisticated is important to stay vigilant against cyber attacks. Some dealerships could be vulnerable to the mentioned issues that endanger the personal information of customers and employees alike.

Such data breaches not only would prove an immediate business threat to dealerships, they also could result in spooked consumers never doing business with hacked stores again. An auditing firm recently surveyed a variety of dealerships in five states to show the impact of data security on the sales and reputations of dealerships, that regularly conducts security audits for all areas of dealerships. The survey found that nearly 84 percent of consumers would not buy another car from a dealership after their data had been compromised by a breach at the dealership. The study also found that around 33 percent of consumers lack confidence in the security of their personal and financial data when buying a vehicle at a dealership.

Car dealerships can be prime locations for hackers looking for personal data. Dealerships, in some cases, could have more information on consumers than their local banks do. From a hacker’s perspective, it’s much easier to hack a dealership than a bank.
For example, service departments, which usually have Wi-Fi connections available for customers, are potential weak spots that hackers can exploit. If the Wi-Fi is not separate from the main network of a dealership, it would take a sophisticated hacker only six minutes to break into it. It often takes a dealership much longer to discover the breach — the average is 208 days.

Cash is one issue holding some stores back. Dedicated security personnel on staff can be an expensive prospect for smaller stores. Only 30 percent of the surveyed dealerships employ a network engineer with computer security certifications and training. Some stores can open themselves up to security failings by not being vigilant. For instance, the survey conducted found that more than 70 percent of dealerships are not up to date on their anti-virus software. The majority of surveyed dealerships aren’t confronting their weaknesses to see where improvement is needed; the survey also reported that only 25 percent of dealerships have hired third-party vendors to try to hack into their networks to test their vulnerability. Dealerships are under pressure to hit sales targets, so their primary focus is on delivering cars. This can lead to stores making mistakes.

Sincerus A. Kingsly

As always, this is a must read. Ransomware attacks are going to keep growing throughout our cyber universe because companies will just pay attackers, especially to decrypt their sensitive data, and the attackers know this. What’s worse is that once an attacker gets paid, sometimes they will request an even larger sum of money. In a lot of cases, even if the attacker is paid, they will still destroy the data and make it inaccessible. Phishing will always continue because that’s how victims are lured, and it’s a great method.

When it comes to car dealerships, clients’ Personally Identifiable Information (PII) is stored all throughout their database. To add insult to injury, automobiles nowadays offer attackers many methods to attack the vehicle as well as the dealership and/or financial institution that the buyer of the auto has his/her loan through. For instance, we all understand that the dealership and/or the finance company has to have tracking on the vehicle “just in case”. The dealership’s and/or financial institution’s data is stored in the vehicle’s database. A hacker can hack that vehicle, gain unauthorized access, and from there access the vehicle’s computer system where the dealership’s and/or financial institution’s information is stored. From there, the attacker could possibly gain access into the dealership and/or financial institution to possibly steal data or any other malicious activities deemed appropriate by the attacker.

Richard White

Great feedback. I see that we are aligned regarding our concern over the growing Ransomware problem and what the future holds in kind. I recently wrote an article regarding the hacking of autonomous vehicles and how they can be hacked and weaponized – scary stuff. Thank you again for your excellent insight and perspective.
